How to Survive an EHR Meaningful Use Audit

Creating and keeping the right documents is key to answering reviewers' questions about electronic health record compliance.

Andrew Pasternak, MD, MS

Fam Pract Manag. 2013 Nov-Dec;20(6):7-11.

Author disclosure: no relevant financial affiliations disclosed. Dr. Pasternak acknowledges the assistance of e-MDs and HealthInsight, the Medicare regional extension center that serves Nevada, for their assistance in reviewing this article.

In 2011, the Centers for Medicare & Medicaid Services (CMS) implemented the meaningful use (MU) program to promote the use of electronic health records (EHRs) in hospitals and physician offices. If measured by how many physicians currently use EHRs, the program has been successful; the percentage of offices using an EHR has increased from 48 percent in 2009 to 72 percent in 2012.[1]

As background, MU Stage 1 offers financial incentives to independent physicians who can prove that they have completed 15 core objectives and five of 10 menu objectives for how they use EHRs as well as report certain clinical quality measures. Medicare-eligible physicians who are not MU compliant by 2015 will receive a penalty to their reimbursements.[2]

Our two-provider practice had used our EHR system (e-MDs Solution Series) since opening in 2005. We were excited when the MU program was announced because we felt that we were ahead of other offices with regard to EHR use, and one of our primary goals for 2011 was to become one of the first practices in Nevada to complete the attestation process for the MU program. Although the early focus was on larger health care systems, not independent practices, we wanted to demonstrate that small practices are the most adept at incorporating new technologies. We did realize, however, that we needed some outside support given our size. We worked very closely with our vendor and HealthInsight, the Medicare regional extension center (REC) that serves our state. Because MU was a new program, we were all at the same point on the learning curve. Part of the fun of reaching our goal was the collaborative learning between our office, our vendor, and HealthInsight.

In February 2011, we began to run weekly reports on our MU criteria to measure our progress. Initially, we did have to make a few small adjustments to aspects of our workflow and documentation. Three months later, we ran our 90-day reports and submitted our documentation to CMS for Stage 1 MU attestation. Our only “glitch” was that we incorrectly entered the dates of attestation for one of our providers. We only noticed this during the attestation for the second provider, and we called the MU hotline immediately to notify them of this issue. In our recollection, we were told not to worry about it too much and that they really couldn't make any changes on their end.

The audit process

In November 2012, the accounting company Figliozzi and Company notified us that we had been selected for a random audit, one of the up to 10 percent of all MU program participants that CMS has said it plans to review.[3] We were given three weeks to upload certain information to a secure website set up by the auditors.

That information included proof that we possessed a certified EHR system, such as a copy of the vendor's licensing agreement or invoices from when the system was purchased; whether we saw patients at more than one office and, if so, whether we used an EHR at each location; and supporting documentation used to complete the attestation module responses.

The documentation could include either a report from our EHR system or screenshots to support the yes/no measures. If these reports did not include evidence that they were generated by the EHR, such as including the EHR logo, we also had to provide step-by-step screenshots showing how the reports were generated.

One month later, after reviewing the information we provided, the auditors responded by requesting more information on many of the items. For example, they asked for verification of which version of our EHR we were using at the time of attestation (our invoices showing that we had an active license weren't enough); additional screenshots showing how we generated reports (our EHR system didn't include the logo); screenshots documenting that some of the yes/no measures, such as whether our EHR identified drug/drug interactions, were functional during the entire attestation period; screenshots documenting the actual exchange of key clinical information (rather than screenshots that showed our system is capable of exchanging such information); and more specific evidence about our security risk analysis, including a signed and dated evaluation.

For reasons unclear to us, the numerators and denominators in many of our reports had been transposed from one provider to another provider, so we also needed to provide additional information reconciling these differences. Finally, questions remained about some of our official dates of attestation due to our initial error.

At this point, we were given only one week to provide the requested information. Because we needed some additional information from our EHR vendor, we requested and received an additional week, and we were able to meet the deadline.

Because we were one of the first offices to get audited, the process was a learning experience for our EHR vendor and HealthInsight as well. A few of the requested items had our office, HealthInsight, and our EHR vendor scratching our heads as to how we were going to provide them. This was especially true for some of the criteria that didn't require a report but were yes/no measures (e.g., drug interactions being monitored and clinical decision support rules in place).

In May 2013, six months after we were first notified of the audit, we received a final request for a few additional documents and clarifications. Unfortunately, our EHR vendor had changed the way one of our reports captured data since May 2011, making it difficult to replicate some of our previous reports. However, with assistance from the vendor, we reinstalled the old reporting mechanism and reran some reports to the satisfaction of the auditors. With that, we passed our audit! CMS has said that providers that fail an audit will have to pay back any incentives they've received and, if fraud is detected, could face civil and criminal penalties.

What we learned

This audit taught us a number of things and spurred a number of changes in our operations, changes that most practices will have to at least consider as they pursue Stage 1 MU incentives and prepare for Stage 2 MU in 2014:

Take lots of screenshots, and save all your reports and documentation. We had an easy time getting copies of our MU reports to the auditors because we had saved all of the original reports at the time of attestation on the advice of HealthInsight. We were also fortunate that our office manager jotted down the date, the name of the person he talked to at CMS, and the case number when we called about accidentally entering the incorrect attestation dates for one of our providers. I'm not 100 percent sure I would have done the same thing, but having this evidence was invaluable. With a few of the other items we were asked to document, such as exchange of clinical information, taking more screenshots of what we did would have been helpful. We also plan to take screenshots to support our answers to any yes/no measures at both the beginning and end of our attestation periods from now on. Also, signing and dating everything, including the security analysis, will help, especially for clinics that may have staff or information technology turnover.

DOCUMENTATION RECOMMENDATIONS

Most physicians supplying information for a meaningful use audit will provide reports or other source documents generated by their certified electronic health record (EHR) system. These reports should, at a minimum, include the numerators and denominators for percentage objectives, the time period that the report covers, and evidence that the report was generated for the physician (such as the National Provider Identifier, provider name, or practice name). For “yes/no” objectives, some additional records may be required.

One or more screenshots from the certified EHR system that are dated during the EHR reporting period selected for attestation.

Ambulatory clinical quality measure reporting

A report from a certified EHR system to validate all clinical quality measure data entered during attestation.

Electronic exchange of clinical information

Dated screenshots from the EHR system that document a test exchange of key clinical information (successful or unsuccessful) with another provider of care during the reporting period.

A dated record of successful or unsuccessful electronic transmission (e.g., email or screenshot from another system)

A letter or email from the receiving provider confirming a successful exchange, including specific information such as the date of the exchange, name of providers, and whether the test was successful.

Protection of electronic health information

A report that documents the procedures performed during the security risk analysis of the EHR and the results. Report should be dated prior to the end of the reporting period and should include evidence to support that it was generated for that provider's system (e.g., National Provider Identifier, CMS certification number, provider name, or practice name).

Drug formulary checks

One or more screenshots from the certified EHR system that are dated during the EHR reporting period selected for attestation.

Lists of patients by specific conditions

A report from the certified EHR system that is dated during the EHR reporting period selected for attestation. Patient-identifiable information should be masked/blurred before submission.

Dated screenshots from the EHR system that document a test submission to the registry or public health agency (successful or unsuccessful). Should include evidence to support that it was generated for that provider's system (e.g., National Provider Identifier, CMS certification number, provider name, or practice name).

A dated record of successful or unsuccessful electronic transmission (e.g., email or screenshot from another system). Should include evidence to support that it was generated for that provider's system (e.g., National Provider Identifier, CMS certification number, provider name, or practice name).

A letter or email from the registry or public health agency confirming the receipt (or failure of receipt) of the submitted data, including the date of the submission, name of parties involved, and whether the test was successful.

Exclusions

Report from the certified EHR system that shows a zero denominator for the measure or otherwise documents that the provider qualifies for the exclusion.

The auditors have a job to do. Obviously the words “Medicare audit” are not high on the list of things any physician wants to hear. Much like a lawsuit, an audit may feel like a personal attack to physicians. The entire six-month process required a fair amount of time – we estimate about 30 hours – and energy for us to get our requested documentation together, which pulled our providers and staff away from patient care and other professional projects. Having said that, the auditors were always available by phone and email. They were also very receptive to questions we had, especially after the initial request for information. This may sound like heresy, but we actually found them quite pleasant to work with given what we had to go through. While the process was stressful for us at times, it helped to keep in mind that the auditors are doing their job of trying to find offices that fabricated MU data to get the financial bonus. As one of the offices that put in a lot of work to meet our goal, we applaud CMS going after the cheaters.

Have a good relationship with your EHR vendor and other outside supporting organizations. As a small primary care office, we would not have been able to pass this audit without the support of our EHR vendor and HealthInsight. Larger groups may have enough internal resources to respond, but smaller practices should look for opportunities to partner with external organizations.

Auditors look at things differently than physicians. We were amazed that the auditors wanted evidence that some of the functionality we use every day was indeed operable for the entire period of attestation. Initially, they were also asking us to prove that we had at least 80 percent of our patient records in our EHR. On the surface, that sounds easy. But since we use our EHR for 100 percent of our patients, it was a challenge proving that we didn't have any patient records still only on paper. Try proving something doesn't exist to an auditor! We ultimately just had to write a policy letter saying that all of our patients have records in our EHR and that we have no paper charts.

Things change a lot in 18 months. Since we initially submitted our attestation, our EHR vendor has given us two or three upgrades, requiring modifications in many of our reports and the way we do things. Also, since our initial attestation period in early 2011, there has been a lot more clarification on some of the rules. Again, having more screenshots and documentation at the time of attestation would likely have helped speed along our audit.

Checking the boxes is important. There's no way around it; more and more physicians, nurses, and hospitals are being judged on what we document in addition to what we do. The reality is that if we check only half of the boxes, we won't earn the MU incentives. But if we check 50.1 percent of the boxes, we will.

Looking ahead to Stage 2

Will we be an early adopter of new technologies when Stage 2 rules go into effect in 2014? Our office prides itself on being a leader in EHR use within our community, and, because of this, we pushed hard for our staff and providers to be one of the first clinics to achieve the Stage 1 incentives. While we are proud of this, we also feel we were at a disadvantage in the audit process because everybody (including the auditors) was going through it for the first time. We'll probably want to forge ahead and be leaders for Stage 2, but the idea of riding on others' coattails this time around is tempting.

Will the MU bonuses in years four and five be worth the trouble it will take to earn them? We only had to fine-tune a few things within our practice to meet the Stage 1 criteria. The Stage 2 criteria are definitely going to be tougher. Many of the requirements emphasize practices using their EHRs to exchange more data with outside entities. We are in the process of establishing an interface with a Health Information Exchange, which will be essential for most practices to meet Stage 2 criteria. Our goals are to forge ahead because we strongly believe an improved system of information exchange is going to be important for health care; however, if we could have just cared for patients instead of gathering documents for this audit, we could have easily generated the $2,000 in incentive payments available from CMS for MU year five.

About the Author

Dr. Pasternak is founder of the Silver Sage Center for Family Medicine in Reno, Nev.
